MalwareIntelligence is a site dedicated to research on anti-malware security, computer criminology and information security in general, always from a perspective closely tied to the field of intelligence.

Phishing campaigns with naming schemes like these (and earlier ones) show that the reach the creators of ZeuS intend to achieve is quite broad, and other campaigns similar to this fraud will certainly appear in the next few days.

Original 20.02.2010
ZeuS has a fairly large repertoire of scam strategies for spreading its trojan and mounting phishing attacks against banks and many well-known companies.

We recently warned of a scam campaign using the IRS as cover; it has been running for a long time and is reactivated every so often, forming a cycle that seeks to spread ZeuS and that applies to all of its strategies.

This server is also currently serving another massive campaign, this one spreading the ZeuS trojan through an IRS scam. In this case only the folder housing the package changes, namely: hxxp://109.95.114.251/usa50/in.php

As we see, ZeuS does not pause in its criminal career. In fact, other campaigns are even more active, such as a phishing attack that hides behind the VISA logo.

19.2.10

In recent weeks, SpyEye (a new financial trojan) has been the talk of many, because of its positive reception in the underground scene thanks to its cost/benefit balance, and because of the great impact of a feature in its latest version that lets it remove the activity of its competitor, ZeuS, from infected systems.

Our previous report, “SpyEye. Analysis of a new crimeware alternative scenario,” addressed known technical issues involving the activities of this threat.

In this second part we present the exclusive interview conducted by Ben Koehl, Crimeware Researcher at Malware Intelligence. Through the interview with the creator of this crimeware, we reveal information that shows some of the thought process behind the author of SpyEye. We also look at the source code of the ZeuS Killer addition.

The way that Gribodemon thinks is no longer unique in the cybercrime world. We are seeing individuals and groups becoming more specialized in the services they provide and no longer spreading themselves thin. There are many industries within the cybercrime world, from coding to infrastructure support to public relations.

There was a large language barrier between me and the author, so I had to keep the questions short and basic so that his translator program (Lingvo) could handle them. We broke the conversation up into pieces to make it flow better for the reader.

13.2.10

From this perspective, any news story that within minutes covers the world's most important media, or any event whose importance is known to people all over the world, is a target whose image can be exploited fraudulently with the intention of spreading malware.

The 2010 Olympic Games, held in the Canadian city of Vancouver, is one of those events for which security professionals sharpen their senses, because they know perfectly well that some campaign will use the event as an excuse to spread.

Under this premise, the early signs have already begun to appear. Here is a website created exclusively to spread malware, whose appearance is very similar to the actual page of the 2010 Olympic Games.

Here we can see screenshots of the real page and the fake one respectively. Note that, in addition to the visual social engineering strategy employed, an important part of the deception lies in the domain name, namely:

Real Website - http://www.vancouver2010.com

Fake Website - http://vaucouver2010.com

In this instance, when the user accesses the fake page, instead of automatically displaying the video presentation it shows an alleged error in the Flash plugin and offers to download a binary called flash-plugin_update.45125 (MD5: 45E21E0CDA8D456B26D1808D4ACB76B0), which is malware with a very low detection rate.

The website is hosted at a German ISP, on IP address 188.40.84.202. However, the executable is downloaded from electricmediadata.com (67.15.47.189), housed at ThePlanet under ASN21844, which is identified as:

Botnet C&C servers

Phishing servers

Spam servers

Malware servers

Although this scenario is not surprising nowadays, since it is well known that the propagation/infection process always contains an important element of deception, the malware infection rate during the initial stage, when social engineering is used as the propagation vector, remains very high.

This raises two far from trivial questions. First, social engineering techniques, a key ingredient of propagation processes, do not go out of fashion; and second, given this and especially considering their high level of effectiveness, it seems that the culture of prevention is very poor, or is it that... awareness processes are simply not enough?

12.2.10

In one of our most recent posts we published a series of links to phishing pages against various entities. Today we will analyze one of them, an attack aimed at Wachovia bank customers.

To this end, we obtained the full kit and began to analyze the files it contains. Basically there are a few PHP and HTML files, various images and three style sheets.

If we look at one of the PHP files, BiMaR.php, we see the following:

So far, nothing unusual: the typical data collection forms are shown and their contents sent to a couple of email addresses.

But if we look in detail, we see that line 4 is somewhat peculiar. The variable $messege is misspelled and is not used in the rest of the script, which uses the variable $message instead. Moreover, its value is a base64-encoded string. If we decode it we get this:

$send = "dopret2001@gmail.com.dopret2001@yahoo.com";

A couple of e-mail addresses ... strange.

We then analyze another of the files, details.php, and find another striking piece of code:

If we decode the string we get two email addresses:

anpyth@aol.com,e.b1952@menara.ma

In this scenario, our first thought is that perhaps we are looking at a backdoor through which the creator of the phishing pack steals the data from his own customers. To make matters worse, those parts of the code are somewhat strange: the first is not very well formed and the second, with the eval function, is very suspect.

To go deeper into the analysis, we install the package on a web server and browse the fraudulent site, filling in the fields to observe the pack's behavior.

Once we reach the last step and confirm the data, the page sends the private information via SMTP as expected, with one exception: the destination addresses are none of those we located in the PHP files.

We quickly search for the addresses across the entire directory, including the images, with negative results. Obviously, all these addresses have to come from somewhere, but ... where?

Listing the directory that houses the images and style sheets, we see that one of the CSS files is much larger than the others, so we open it in an editor. Everything seems normal until, past the middle of the file, a block is unreadable, even appearing as Chinese characters, which obviously has all the hallmarks of being the cause of the unexpected behavior.

We roll up our sleeves and go back over the PHP files to trace it, and finally get results. The file AuthService.php has several somewhat cryptic functions that call each other, forming a chain.

So we put a couple of "echo"s in strategic places and presto! Our friend appears before our eyes:

Code similar to that in BiMaR.php, but with 6 different email addresses, which is where the stolen information is actually sent:

usa813@inbox.com

usa813@easy.com

usa813@hotmail.fr

zoka_1845497@usa814.freezoka.com

usa813@excite.co.uk

usa813@gmx.com

We are thus facing a diversion by the phishers, who, like conjurers, put before our eyes what they want us to believe, while the real operation goes on beyond the superficial view.

An important fact that emerges from the analysis of the server is that the same server also hosts pages impersonating two other banks, Lloyds TSB:

and Bank of America, both with the same defense mechanism in the CSS.

As we see, the mechanisms used in phishing attacks are also perfected every day, not just in their attack strategies but also in their defense mechanisms, which in this case amount to an interesting diversion.
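As an added example (not code from the original post or from the kit it describes), here is a small Python triage script for the two hiding techniques described above: drop addresses stored as base64 strings in PHP (including ones fed to eval) and a stylesheet padded with an opaque binary blob. The sample kit files, file names aside, are constructed inline with example.com addresses and are not the real kit's contents.

```python
import base64
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")  # candidate base64 runs
EVAL_RE = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)", re.I)

def decoded_emails(text):
    """Map each base64 run that decodes to text holding an e-mail address to the addresses found."""
    hits = {}
    for token in B64_RE.findall(text):
        try:
            plain = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # not base64, or not text once decoded
        emails = EMAIL_RE.findall(plain)
        if emails:
            hits[token] = emails
    return hits

def opaque_ratio(data):
    """Fraction of bytes outside printable ASCII/whitespace: ~0 for real CSS, high for a stuffed one."""
    return sum(not (32 <= b < 127 or b in (9, 10, 13)) for b in data) / max(len(data), 1)

def scan_kit(files, css_threshold=0.05):
    """files: {filename: bytes}. Returns the per-file findings worth triaging."""
    report = {}
    for name, data in files.items():
        findings = {}
        if name.endswith(".php"):
            text = data.decode("latin-1")
            if hits := decoded_emails(text):
                findings["encoded_emails"] = sorted({e for v in hits.values() for e in v})
            if EVAL_RE.search(text):  # eval() over an obfuscated string, as in details.php
                findings["eval_decode"] = True
        elif name.endswith(".css") and (ratio := opaque_ratio(data)) > css_threshold:
            findings["opaque_ratio"] = round(ratio, 2)
        if findings:
            report[name] = findings
    return report

# Constructed sample kit (example.com addresses, not the real kit's files).
SAMPLE_KIT = {
    "BiMaR.php": b'<?php\n$messege = "%s";\n$message = "Your account details";\n'
    % base64.b64encode(b'$send = "drop1@example.com,drop2@example.net";'),
    "details.php": b'<?php\neval(base64_decode("%s"));\n'
    % base64.b64encode(b'$to = "drop3@example.org";'),
    "style.css": b"body { margin: 0; }\n" + bytes(range(128, 256)) * 4,
}
```

Running scan_kit(SAMPLE_KIT) flags both PHP files for their encoded addresses, details.php additionally for its eval, and style.css for its opaque tail, while a plain stylesheet produces no finding.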

10.2.10

Earlier this year, a new application designed to feed criminal and fraudulent business saw the light in the underground black market that drives the crimeware economy.

This application, called SpyEye, is aimed at facilitating the recruitment of zombies and managing their network (C&C, Command and Control) through a web-based management panel, from which it is possible to process the information obtained (intelligence) and store it as statistics, a common activity of today's criminal packages.

Judging by its characteristics, very similar to those offered by its counterpart ZeuS, SpyEye presents itself as a potential successor to it within the crimeware scenario. Furthermore, it is evident that criminal activities now represent a large business in which cyber criminals and would-be cyber criminals abuse their "kindness".

This document describes the activities of SpyEye from the infection stage onwards, giving relevant information about its purpose.

8.2.10

Phishing is a purely criminal activity, part of the circuit that drives the illegal crimeware business, designed to steal money using sensitive and private information that criminals obtain from users through illicit activities.

Therefore, as a preventive measure, it is important to block access to the domains that usually host cloned pages of banks, webmail and any other Internet service that requires authentication.

To that end, the Phishing Database was born: a compendium of fraudulent domains used to mount phishing attacks, which can be used to build block lists.

In this case, on the same host there is a phishing attack against eBay and another against JPMorgan Chase Bank, at IP address 203.211.129.222. The site is controlled by a PHP shell called !islamicshell v. edition ADVANCED!.

The truth is that, in addition to uploading cloned web pages, the attacker can quietly do other things, such as spreading malware of any type hosted on the server that hosts the site, including defacement (a very common activity for which PHP shells tend to be used).